
NCA ECC v2 — Essential Cybersecurity Controls — Full Compliance Guide

SKYLINE Knowledge Base

A practitioner-grade walk-through of the NCA Essential Cybersecurity Controls (ECC v2): scope, controls, implementation phases and audit-ready evidence, with sample policies and configurations you can adapt to your own entity.

Overview

The Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority (NCA) are the mandatory baseline for every government entity, every government-affiliated body and every operator of national critical infrastructure in the Kingdom of Saudi Arabia. The current version is ECC-2:2024 (Arabic master, English reference). Non-compliance can result in administrative sanctions under Royal Decree A/6 of 1438H and the NCA's enforcement authority. Audit cycles are annual for critical sectors and biennial for the rest.

Who this applies to

  • All government entities, their employees and their contractors.
  • Government-affiliated bodies (universities, semi-autonomous agencies).
  • Private-sector operators of national critical infrastructure (banking, energy, water, telecom, health).
  • Any organisation hosting or processing data classified Top Secret, Secret or Restricted by KSA classification rules.
  • Exempt: small private businesses that hold no sensitive data and provide no service to a covered entity.

Key domains and control families

ECC-2 is organised into 5 main domains and 29 sub-domains producing 114 controls. The five main domains are:

  1. Cybersecurity Governance (1-x): strategy, policies, roles, risk management, project management, third-party.
  2. Cybersecurity Defense (2-x): asset management, identity & access, system hardening, network security, mobile device security, data protection, cryptography, backup, vulnerability management, penetration testing, log management, cybersecurity incident management, physical security, web application security.
  3. Cybersecurity Resilience (3-x): business continuity, disaster recovery aspects of cybersecurity.
  4. Third-Party and Cloud Computing Cybersecurity (4-x): outsourcing, managed services, cloud usage controls.
  5. Industrial Control Systems Cybersecurity (5-x): OT/ICS where applicable (extended in OTCC).

Step 1: Scoping

  • Inventory every system, classify per the NCA Data Classification Policy (Top Secret / Secret / Restricted / Public).
  • Identify "national critical systems" — anything whose disruption would impact national security, public safety, the economy or essential services.
  • Pull every control whose criticality flag is C (mandatory for critical systems), as distinct from N (normative baseline applicable to everyone).

Step 2: Gap analysis

Use a control-by-control scoring sheet (NCA provides an XLSX template). For each control record:

  • Implemented (Yes / Partial / No / Not Applicable)
  • Evidence reference
  • Owner
  • Remediation due date
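The scoring sheet is easy to roll up mechanically. The following is an added example, not code from the guide or the NCA template: it turns the Implemented column into a per-domain percentage (Not Applicable rows excluded) and lists the two gaps an auditor raises first, C-flagged controls that are not fully implemented and controls claimed as implemented without an evidence reference. The field names, the Partial = 0.5 weight and the sample rows are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Weight of each "Implemented" value on the scoring sheet; N/A rows are skipped.
STATUS_SCORE = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}

@dataclass
class ControlRecord:
    control: str      # ECC clause id such as "2-2-1"; leading digit = main domain
    criticality: str  # "C" = mandatory for critical systems, "N" = normative baseline
    implemented: str  # Yes / Partial / No / Not Applicable
    evidence: str     # evidence reference; empty string if none recorded
    owner: str
    due_date: str     # remediation due date (ISO 8601); empty if none set

def domain_scores(records):
    """Implementation percentage per main domain, Not Applicable excluded."""
    earned, counted = defaultdict(float), defaultdict(int)
    for r in records:
        if r.implemented == "Not Applicable":
            continue
        domain = r.control.split("-")[0]
        earned[domain] += STATUS_SCORE[r.implemented]
        counted[domain] += 1
    return {d: round(100 * earned[d] / counted[d], 1) for d in sorted(counted)}

def findings(records):
    """Rows an auditor will raise, as (control, finding, owner, due_date):
    C-flagged controls not fully implemented (a due date is then mandatory),
    and controls claimed implemented without an evidence reference."""
    out = []
    for r in records:
        if r.criticality == "C" and r.implemented in ("Partial", "No"):
            out.append((r.control, "critical control not fully implemented",
                        r.owner, r.due_date or "NO DUE DATE"))
        if r.implemented in ("Yes", "Partial") and not r.evidence.strip():
            out.append((r.control, "no evidence reference", r.owner, r.due_date))
    return out

# Constructed sample rows in the sheet's column order (not an entity's real data).
SAMPLE = [
    ControlRecord("1-1-1", "N", "Yes", "POL-001 signed strategy", "CISO", ""),
    ControlRecord("2-2-1", "C", "Partial", "", "IAM lead", "2025-03-31"),
    ControlRecord("2-3-3", "C", "Yes", "CIS baseline build sheet", "Linux team", ""),
    ControlRecord("2-12-1", "C", "No", "", "SOC lead", ""),
    ControlRecord("5-1-1", "N", "Not Applicable", "", "", ""),
]
if __name__ == "__main__":
    print(domain_scores(SAMPLE), *findings(SAMPLE), sep="\n")
```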

Step 3: Policy authoring (sample)

Cybersecurity Policy — Access Control (ECC 2-2-1)
1. All access to information systems shall be authorised, authenticated and logged.
2. Privileged accounts shall use MFA, be reviewed every 90 days and rotate credentials at least every 60 days.
3. Service accounts shall be vaulted and rotated automatically; no human shall know the password.
4. Dormant accounts (>45 days inactive) shall be disabled.
5. All access reviews shall be evidenced and retained for 36 months.
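The numeric clauses above can be tested against an account export rather than attested by hand. This is an added example, not part of the original guide: it applies the 45-day dormancy, 60-day rotation, 90-day review, MFA and vaulting requirements to constructed sample accounts and returns one row per violation with the clause it breaches. The Account fields and the fixed review date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Thresholds are the numbers in clauses 2-4 of the sample policy.
PRIV_ROTATION_DAYS = 60   # privileged credentials rotated at least every 60 days
PRIV_REVIEW_DAYS = 90     # privileged accounts reviewed every 90 days
DORMANT_DAYS = 45         # accounts idle for more than 45 days must be disabled

@dataclass
class Account:
    name: str
    kind: str                    # "human", "privileged" or "service"
    mfa: bool
    vaulted: bool                # credential lives in a secrets vault, not with a person
    last_login: Optional[date]   # None = never used
    last_rotation: date
    last_review: Optional[date]  # None = never reviewed
    enabled: bool = True

def review(accounts, today):
    """Return (account, clause, detail) per violation; disabled accounts are skipped."""
    violations = []
    for a in accounts:
        if not a.enabled:
            continue
        idle = (today - a.last_login).days if a.last_login else None
        if idle is None or idle > DORMANT_DAYS:
            violations.append((a.name, "4", f"dormant, idle {idle} days" if idle else "dormant, never logged in"))
        if a.kind == "privileged":
            if not a.mfa:
                violations.append((a.name, "2", "privileged account without MFA"))
            if (today - a.last_rotation).days > PRIV_ROTATION_DAYS:
                violations.append((a.name, "2", "credential older than 60 days"))
            if a.last_review is None or (today - a.last_review).days > PRIV_REVIEW_DAYS:
                violations.append((a.name, "2", "no access review in the last 90 days"))
        if a.kind == "service" and not a.vaulted:
            violations.append((a.name, "3", "service account credential not vaulted"))
    return violations

# Constructed sample export (not a real directory) reviewed as of a fixed date.
TODAY = date(2025, 1, 31)
SAMPLE = [
    Account("alice.admin", "privileged", True, False, date(2025, 1, 30), date(2024, 12, 20), date(2024, 11, 15)),
    Account("bob.admin", "privileged", False, False, date(2025, 1, 29), date(2024, 11, 1), None),
    Account("carol", "human", True, False, date(2024, 12, 1), date(2025, 1, 10), None),
    Account("svc-backup", "service", False, False, date(2025, 1, 31), date(2025, 1, 31), None),
    Account("dave", "human", True, False, None, date(2024, 6, 1), None, enabled=False),
]
if __name__ == "__main__":
    print(*review(SAMPLE, TODAY), sep="\n")
```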

Step 4: Technical hardening

Apply the CIS Benchmark for every OS family in scope. Sample baseline for Linux servers carrying Restricted data:

# Disable root SSH, force key auth, enforce strong ciphers (ECC 2-3-3)
set -euo pipefail; CFG=/etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' "$CFG"
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$CFG"
# sshd honours the first occurrence of a directive, so remove any existing
# KexAlgorithms/Ciphers lines before appending ours (keeps the script idempotent)
sed -i '/^#\?\(KexAlgorithms\|Ciphers\)[[:space:]]/d' "$CFG"
echo 'KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org' >> "$CFG"
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com' >> "$CFG"
sshd -t   # validate the config before reloading; a typo here locks everyone out
systemctl reload sshd

Step 5: Log management (ECC 2-12)

Minimum 12 months hot, 24 months cold; clocks synchronised via authoritative NTP. Sample Wazuh ruleset:

<group name="nca_ecc,auth">
  <!-- Wazuh rule 5710 is "attempt to login using a non-existent user" and never
       fires for root. Chain from the "sshd: authentication failed" parents
       (5716, 5760) instead and restrict to the decoded user name. -->
  <rule id="100201" level="10">
    <if_sid>5716,5760</if_sid>
    <user>^root$</user>
    <description>NCA ECC 2-2-1: SSH failed root login attempt</description>
    <group>authentication_failed,pci_dss_10.2.4,nca_ecc_2_2_1</group>
  </rule>
</group>

Step 6: Mapping to ISO 27001

Roughly 78% of ECC controls map cleanly to ISO 27001:2022 Annex A. The remaining 22% are KSA-specific extensions (data residency, Arabic language requirements, KSA jurisdiction clauses, national CERT reporting). Keep a single matrix; one piece of evidence can satisfy both audits.

Step 7: Audit prep checklist

  • Signed approval of every policy by the head of the entity.
  • Quarterly KRI report to executive management.
  • Penetration test report dated within 12 months.
  • Vulnerability scan results dated within the last 30 days.
  • Incident response playbooks tested in the last 6 months (tabletop log).
  • Backup restore test evidence dated within the last 3 months.
  • Third-party assurance letters for every cloud and outsourced service.

Common gotchas

  • "Best-effort" backups without a tested restore — auditors will mark the entire BC domain non-compliant.
  • Generic templated policies without the entity's name, scope and owner table — automatic finding.
  • Retention policy says 12 months but log rotation auto-deletes after 30 days: produce the actual rotation and retention configuration as evidence, not just the policy.
  • MFA on the VPN but local admin accounts on workstations still single-factor — fails 2-2-1.

Verification — audit-ready evidence

  • Asset register exported with classification per row.
  • Hardened build baselines per OS, signed off by the CISO.
  • Quarterly access-review attestations.
  • Annual penetration test, scoped to in-scope systems, with retest evidence on every finding.
  • Trained-personnel register: SACA/Saudi cybersecurity certifications for the SOC team.

Conclusion

ECC compliance is a programme, not a project — treat it as the constitution your IT operations live under. Map every operational control to an ECC clause and every clause to a single piece of evidence; the rest is hygiene.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.